[NEWS] Malformed Network Request can cause Office X for Mac to Fail

From: support@securiteam.com
Date: 02/13/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 13 Feb 2002 13:35:21 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Malformed Network Request can cause Office X for Mac to Fail
------------------------------------------------------------------------

SUMMARY

Office X contains a network-aware anti-piracy mechanism that detects
multiple copies of Office using the same product identifier (PID) running
on the local network. This feature, called the Network Product
Identification (PID) Checker, announces Office's own unique product ID and
listens for other announcements at regular intervals. If a duplicate PID
is detected, Office shuts down.

A security vulnerability results because of a flaw in the Network PID
Checker. Specifically, the Network PID Checker does not correctly handle a
particular type of malformed announcement - receiving one such
announcement causes the Network PID Checker to fail. When the Network PID
Checker fails like this, the Office v. X application fails as well. If more
than one Office v. X application were running when the packet was
received, the first application launched during the session would fail. An
attacker could use this vulnerability to cause other users' Office
applications to fail, with the loss of any unsaved data. An attacker could
construct and send this packet to a victim's machine directly, by using
the machine's IP address. Alternatively, the same packet could be sent to
a broadcast or multicast address to affect every vulnerable machine that
receives it.

DETAILS

Affected software:
 * Microsoft Office v. X

Mitigating factors:
 * Corporate networks could be protected against Internet-based attacks by
following standard firewalling practices (specifically, blocking inbound
traffic to port 2222 and to ports greater than 3000).
 * Best practice recommends blocking both multicast and broadcast packets
at the perimeter firewall.
 * At best, an attacker could cause the running Office application that
was loaded first to fail. There is no opportunity for an attacker to
create, delete, or modify Office data.
 * Even a successful attack would not have any effect on the overall
system, other applications or any Office application beyond the first one
loaded.

Patch availability:
Download locations for this patch:
 * Microsoft Office v. X:
    <http://www.microsoft.com/mac/download>

What's the scope of the vulnerability?
This is a denial of service vulnerability. A malicious user could use it
to cause a running Office X application to fail, forcing the user to
restart the application. Any unsaved data when the application crashed
would be lost.

An attack would not affect the stability of the underlying operating
system, nor allow an attacker to alter or delete data. In addition, a
successful attack could only cause one application to fail on a machine:
specifically, the first Office v. X application loaded of those running
when the attack occurs. All other Office v. X applications would continue
to function normally.

What causes the vulnerability?
The vulnerability results because the network PID checking feature fails
to handle exceptional circumstances properly.

What is Network PID Checking?
Each legally purchased and installed copy of Microsoft software has a
unique Product Identifier (PID). This identifier can be seen in most
applications by choosing "About" from the "Help" menu; the unique PID is
listed there.

Network Product Identification Checking is an anti-piracy feature new to
Office X for OS X. When an Office X application starts, it announces its
PID on the local network at regular intervals. It also listens on the
local network for new PID announcements. If at any point, an installation
of Office X detects a copy of its own PID, Office shuts down on both
systems.

What's wrong with Network PID Checking?
There is an implementation flaw in the Network PID Checking feature: it
does not handle a particular kind of malformed network request properly.
When such a malformed request is received, Office X does not handle the
condition gracefully and fails.

How could an attacker exploit this vulnerability?
An attacker could attempt to exploit this vulnerability by sending a
specially crafted network packet one of two ways: they could attempt to
send the packet directly to a single user's machine; or, they could
attempt to send this packet to all the computers on a subnet by specifying
a broadcast address.

How would an attack directed at a single user work?
To attack a single user's machine, the attacker would send the specially
malformed packet to the user's IP address. The advantage of this type of
attack is that the attacker could target any machine to which they could
deliver an IP packet, which would allow attacks to be mounted over great
distances.

However, to succeed, the attacker would need to know the IP address of the
intended victim. In most cases, IP addresses are assigned by Dynamic Host
Configuration Protocol (DHCP), so a single machine's IP address can
change.

In addition, a directed attack like this would have to use the destination
ports that the Network PID Checker uses: 2222 and those greater than 3000.
Most corporations block inbound traffic on high ports such as these as a
best practice.

How would an attack directed at a broadcast or multicast address work?
To attack many users on a subnet, the attacker would send the specially
malformed packet to that network's broadcast or multicast address. The
advantage to this type of attack is that the attacker could deliver their
malicious packet to all computers on a subnet, potentially causing many
users' Office application to fail.

The disadvantage to this attack method is that most routers and firewalls
do not forward multicast or broadcast packets. As a result, an attacker
would most likely only be able to disrupt Office applications on a single
network segment.

What could an attacker do via this vulnerability?
An attacker could cause the Office X application on the victim's machine
to fail, forcing the user to restart it. While any unsaved data would be
lost, there would be no opportunity for the attacker to alter data.
Additionally, an attacker could not run programs or destabilize the
operating system in any way.

If several Office X applications were running when an attack was launched,
would all of them fail?
No. Only the first application that a user had loaded would fail. Any
other applications that were running at the time would continue to run
normally. For example, if a user had started Word and Excel in that
order, and then received the malformed packet, Word would fail, but Excel
would continue to function. The user could then restart Word and continue
working.

Is it possible for these circumstances or packets to occur by accident?
No. In nearly every case, the network traffic or packets would have to be
handcrafted by a user with malicious intent.

I'm running Office on a PC. Could I be affected?
No. The network PID checking feature discussed is only available in Office
v. X.

I'm using Mac OS X, but I'm using a version of Office other than Office v.
X. Could I be affected?
No. The network PID checking feature discussed is only available in Office
v. X.

What does the patch do?
The patch eliminates the vulnerability by allowing the Network PID checker
to operate successfully under exceptional circumstances and to discard
malformed packets.
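The announcement-and-listen mechanism described under "What is Network PID Checking?" and the patch behaviour just described (discard malformed announcements rather than fail) can be modelled in a few lines. The following is an added example, not Microsoft's code: the advisory gives no wire format, so the magic/length/PID layout, the MAGIC constant, and the sample announcements are all constructed assumptions; the point is that every field is bounds-checked before use, so a malformed announcement is counted and dropped while duplicate detection still works.

```python
import struct

# Hypothetical announcement layout (the advisory does not give the real one):
#   magic (4 bytes) | pid_len (uint16, big-endian) | pid (ASCII, pid_len bytes)
MAGIC = b"NPID"
MAX_PID_LEN = 32


def parse_announcement(data: bytes):
    """Strictly parse one announcement; return the PID or None if malformed.

    Truncated, oversized, wrong-magic or non-ASCII announcements are
    rejected before any field is used, so nothing here can raise.
    """
    if len(data) < 6 or data[:4] != MAGIC:
        return None
    (pid_len,) = struct.unpack(">H", data[4:6])
    if pid_len == 0 or pid_len > MAX_PID_LEN:
        return None
    if len(data) != 6 + pid_len:          # declared length must match payload
        return None
    pid = data[6:6 + pid_len]
    if not pid.isascii() or not pid.isalnum():
        return None
    return pid.decode("ascii")


def encode(pid: str) -> bytes:
    """Build a well-formed announcement in the hypothetical layout above."""
    return MAGIC + struct.pack(">H", len(pid)) + pid.encode("ascii")


class PidChecker:
    """Models the listener: a PID equal to our own means a duplicate install."""
    def __init__(self, own_pid: str):
        self.own_pid = own_pid
        self.discarded = 0                 # malformed announcements seen so far

    def handle(self, data: bytes) -> str:
        pid = parse_announcement(data)
        if pid is None:
            self.discarded += 1            # drop it, keep listening
            return "discarded"
        return "duplicate" if pid == self.own_pid else "ok"


def demo():
    """Run constructed announcements (not real Office X traffic) through a checker."""
    checker = PidChecker("ABC123")
    samples = [
        encode("ZZZ999"),                  # another copy with a different PID
        b"NPID\x00\x05ABC",                # truncated: length says 5, 3 present
        b"NPID\xff\xff" + b"A" * 10,       # absurd length field
        b"XXXX\x00\x03ABC",                # wrong magic
        encode("ABC123"),                  # our own PID heard again: duplicate
    ]
    return [checker.handle(s) for s in samples], checker.discarded
```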

ADDITIONAL INFORMATION

The information has been provided by the Microsoft Security Response
Center <secure@microsoft.com>.



